Recipe 7.25: Encrypting Backups

Author's note: If someone steals one of your backup tapes, your sensitive information could become compromised. This recipe, excerpted from Chapter 7 on "Protecting Files," illustrates how to encrypt the contents of a backup tape using GnuPG (gpg), a popular encryption program for Linux and other operating systems.

where SPEED and SCSIDEVICE are specific to your system; see cdrecord(1).

Method 2: Encrypt files separately.

Make a new directory containing links to your original files:

$ cp -lr mydir newdir

In the new directory, encrypt each file, and remove the links to the
unencrypted files:

$ find newdir -type f -exec gpg -e '{}' \; -exec rm '{}' \;

Back up the new directory with the encrypted data:

$ tar c newdir

Discussion

Method 1 produces a backup that may be considered fragile: one big encrypted
file. If part of the backup gets corrupted, you might be unable to decrypt any
of it.

Method 2 avoids this problem. The cp -l option creates
hard links, which can only be used within a single filesystem.
If you want the encrypted files on a separate filesystem, use symbolic links instead:

Note that a full, absolute pathname must be used for the original directory
in this case.

gpg does not preserve the owner, group, permissions, or
modification times of the files. To retain this information in your backups,
copy the attributes from the original files to the encrypted files, before the
links to the original files are deleted:
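The following script is an added example, not code from the book, that ties together the whole of Method 2 as shell functions: building the link tree (hard links, or symbolic links from an absolute path as the discussion requires), encrypting each file, copying the owner, group, mode and modification time from the original onto the .gpg output before the link is removed, and writing the tar archive. It assumes GNU coreutils (cp -l/-s and the --reference options of chown, chmod and touch), a GnuPG public key for the placeholder recipient already in your keyring, and a hypothetical ENCRYPT_CMD hook so the per-file encryptor can be swapped out for a stand-in when exercising the functions without a keyring.

```shell
#!/bin/sh
# Added example for Recipe 7.25, Method 2 (not from the book).
# Assumes GNU coreutils and a GnuPG public key for RECIPIENT.
# RECIPIENT below is a placeholder; ENCRYPT_CMD is a hypothetical hook
# naming the shell function used to encrypt one file into <file>.gpg.
set -eu

RECIPIENT="${RECIPIENT:-backup@example.com}"   # placeholder key id
ENCRYPT_CMD="${ENCRYPT_CMD:-gpg_encrypt}"       # invoked as: $ENCRYPT_CMD <file>

# Default encryptor: like the book's "gpg -e", but non-interactive, naming
# the recipient up front so find/-exec style loops need no prompt.
gpg_encrypt() {
    gpg --batch --yes -e -r "$RECIPIENT" "$1"
}

# Build newdir as a tree of links to the originals.  Hard links (cp -l)
# only work within one filesystem; pass "sym" for symbolic links, which
# GNU cp will only create from an absolute source path (hence the check).
make_link_tree() {
    src=$1; dst=$2; mode=${3:-hard}
    if [ "$mode" = sym ]; then
        case $src in
            /*) ;;
            *)  echo "symlink mode needs an absolute path: $src" >&2; return 1 ;;
        esac
        cp -sr "$src" "$dst"
    else
        cp -lr "$src" "$dst"
    fi
}

# Encrypt one file, then copy the original's owner, group, permissions
# and mtime onto the .gpg output (gpg does not preserve them) while the
# link still points at the original, and finally drop the plaintext link.
# All --reference options follow symlinks, so this works for both modes.
encrypt_one() {
    f=$1
    "$ENCRYPT_CMD" "$f"
    chown --reference="$f" "$f.gpg"
    chmod --reference="$f" "$f.gpg"
    touch --reference="$f" "$f.gpg"
    rm "$f"
}

# Walk the link tree.  In a hard-link tree the entries are regular files
# (-type f); in a symlink tree they are links (-type l).  The list is
# collected first so the .gpg files created along the way are not
# re-encrypted.  Names containing a newline are not supported here.
encrypt_tree() {
    dir=$1
    list=$(mktemp)
    find "$dir" \( -type f -o -type l \) > "$list"
    while IFS= read -r f; do
        encrypt_one "$f"
    done < "$list"
    rm -f "$list"
}

# Archive the directory of encrypted files (the book writes to tape with
# "tar c newdir"; here the archive name is a parameter).
make_backup() {
    tar cf "$2" "$1"
}

# Typical use, assuming the key for $RECIPIENT is in your keyring:
#   make_link_tree "$PWD/mydir" newdir          (or: ... newdir sym)
#   encrypt_tree newdir
#   make_backup newdir /dev/st0
```

Because attributes are copied before `rm "$f"` runs, the reference file is still the original at that point, so the .gpg file ends up with the same mode, ownership and timestamp as the plaintext it replaces, which is what a restore needs. The originals in mydir are never modified: every operation targets either the link or the new .gpg file.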